© 2018 Web Age Solutions, Inc. All rights reserved Introduction to Cloud Computing

Post on 22-Mar-2020

Introduction to Cloud Computing

Lesson Objectives

Introduce the basics of Cloud Computing

Identify cloud goals

Define the key benefits derived from Cloud, including the 5 normally stated characteristics + 1

Explain service models in Cloud

Describe Cloud deployment models

Where to begin with Cloud Computing

The start of Cloud Computing in organizations usually begins with:

Facilitated understanding and documentation of the present state of technology for infrastructure, applications, process, capabilities, and talent

Planning for the future of application development using Cloud infrastructure, platforms, and services

Creation of the plan of prioritized tasks (rocks) to move the organization (mountain) toward Cloud Computing and usage of Cloud services

Getting Started

What is Cloud Computing?

On-demand delivery of IT resources and applications via the Internet

Cloud providers, e.g. Private, GCP, AWS, Azure

Resources and applications hosted in geographically distributed data centers that are designed and built with high scalability and reliability

Using applications and services with shared responsibility

Diagram layers:
• Application: Monitoring, Content, Collaboration, Communication, Finance
• Platform: Object Storage, Identity, Runtime, Queue, Database
• Infrastructure: Compute, Block Storage, Network

Multi-tenancy

Cloud environments are resource pools that serve multiple consumers

Multi-tenancy in cloud relies on the use of virtualization and containerization technologies

Cloud IT resources are partitioned so that computational resources, data, network, etc. are shared through virtual private cloud (VPC)

Each tenant is isolated, accessing only their resources

Diagram labels: Application, Business Unit, Team, Project

National Institute of Standards and Technology (NIST) Perspective

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Furthermore, the cloud model promotes availability and has the following from their original definition:

Five essential characteristics: On-demand self-service, Ubiquitous network access, Rapid elasticity, Location independent resource pooling, Measured service

Three service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Four deployment models: Private, Community, Public, Hybrid

Other diagram labels: Virtualization, Grid Technology, Service Oriented Architectures, Browser as a Platform, Distributed Computing, Broadband Networks, Free and Open Source Software, Service Level Agreements, Autonomic Systems, Web 2.0, Web Application Frameworks, Utility Computing

Cloud Characteristics (NIST + 1)

Rapid elasticity

Broad network access

On-demand and self-service

Resource pooling

Measured service

Managed service

Cloud Service Models AKA Cloud Delivery Models

NIST defines the following three service delivery models:

SaaS: Software as a Service

PaaS: Platform as a Service

IaaS: Infrastructure as a Service

Diagram labels: Email, CRM, Collaborative, ERP, App Development, Decision Support, Web, Streaming, Caching, Legacy, Networking, Security, File, Technical, System Mgmt

We'll add one more category:

XaaS: Everything/Anything as a Service

Infrastructure-as-a-Service (IaaS)

Cloud provider infrastructure for you to deploy your own software solution: (virtual) servers, applications, networking, database, resource management systems, etc.

Amazon EC2, Google Compute Engine, Microsoft Azure, OpenStack, Rackspace, VMware

Platform-as-a-Service (PaaS)

The Cloud vendor provides a computing environment where we run our solutions. Our solutions use run-times, APIs, and other provider services or resources within their environment

Amazon Beanstalk, Cloud Foundry (Pivotal), Google App Engine (GAE), Heroku, Microsoft Azure

PaaS can be built on top of IaaS, in which case our PaaS solutions act as consumers of the IaaS services

Software-as-a-Service (SaaS)

Vendors provide solutions that we purchase access to in the form of some sort of licensing subscription model

Salesforce.com, Google Gmail, Google Docs, Apple iCloud, Adobe Marketing Cloud, UPS / FedEx Shipping APIs, CyberSource Vault

Service Type Comparison

IaaS: Deploy any software stack that you want

PaaS: Utilize programming languages that are supported by the vendor and run-time environments; your applications talk to the outside world through the established API

SaaS: Use Cloud vendor's software typically delivered through a user interface or web services

You forego control in favor of vendor-managed cloud capabilities along this path:

IaaS → PaaS → SaaS

Pizza-as-a-Service

[Diagram: four columns, each listing the same items: Dining Table, Soda, Electric/Gas, Fire, Oven, Pizza Dough, Tomato Sauce, Toppings, Cheese. Each item is marked as "You Manage" or "Vendor Manages".]

Traditional On-Premises: Made at home

Infrastructure as a Service (IaaS): Take & Bake

Platform as a Service (PaaS): Delivery

Software as a Service (SaaS): Dining Out

Cloud Reference Model

[Diagram]

Layers: Presentation; Applications; Data/Metadata/Content; Integration Layer & Middleware; APIs; Core Connectivity & Delivery; Abstraction Layer; Hardware; Facilities

Side labels: Governance/Provisioning/Monitoring/SLA/Billing; Resource Infrastructure

Service model spans: Infrastructure as a Service (IaaS); Platform as a Service (PaaS); Software as a Service (SaaS)

IaaS Platform Nomenclature

[Diagram]

Layers: APIs; Core Connectivity & Delivery; Abstraction; Hardware; Facilities

Other labels: IPAM/DNS, Mgmt, ILM/Auth, VMM, Grid/Cluster/Utility, Images, Network, Storage, Power, HVAC, Space

PaaS Platform Nomenclature

Many PaaS platforms are implemented on top of some sort of IaaS platforms (from the same vendor or a 3rd party)

Diagram labels: Integration & Middleware, ILM/Auth

SaaS Platform Nomenclature

[Diagram]

Layers: APIs; Presentation Modality; Presentation Platform; Applications

Other labels: Data, Metadata, Content; Data, Voice, Video; SOAP, REST, Query; Native, Web; PC, Mobile

What is XaaS?

XaaS, Everything or Anything-as-a-Service, is a collective term for the expansion of As-a-Service from Software, Platform and Infrastructure usages

XaaS is a concept of being able to call up re-usable, fine-grained software components across a network, and is a subset of cloud computing

Everything and Anything as a Service (XaaS)

Enterprise areas of XaaS usage include

MaaS – Monitoring-as-a-Service

MaaS – Metal-as-a-Service

iPaaS – Integration Platform-as-a-Service

hpaPaaS – High Performance Application PaaS

BaaS – Backup-as-a-Service

SECaaS – Security-as-a-Service

Examples of as-a-Service

Cloud-Everything

Google App Engine

Google App Engine (often referred to as GAE or simply App Engine) is a platform as a service (PaaS) cloud computing platform for developing and hosting web applications in Google-managed data centers.

Google App Engine is a fully managed platform that completely abstracts away infrastructure so Developers focus only on code.

Out of the box, App Engine supports Node.js, Java, Ruby, C#, Go, Python, and PHP. Developers from these language communities can be productive immediately in a familiar environment.

Force.com

Platform-as-a-service developed by Salesforce.com to expand from the CRM software-as-a-service.

Enables development teams in the building and management of applications, by allowing them to focus on the application and not the infrastructure.

Boomi

Dell Boomi AtomSphere is an on-demand multi-tenant cloud integration platform-as-a-service for connecting cloud and on-premises applications and data.

Boomi platform enables customers to design cloud-based integration processes called Atoms and transfer data between cloud and on-premises applications.

MuleSoft

MuleSoft is a vendor that provides an integration platform to connect applications, data and APIs across on-premises and cloud computing environments.

MuleSoft's Anypoint Platform integrates or connects SaaS applications and existing legacy applications through application programming interfaces (APIs).

ServiceNow

ServiceNow is an Information Technology Service Management tool hosted in cloud and utilized by customers as a Software-as-a-Service (SaaS).

ServiceNow is used to replace or augment on-premises IT tools with a modern, easy-to-use service management solution in the cloud that requires no infrastructure.

Cloud Advantages

Offload capital infrastructure (fixed) cost to cloud provider

Scalability

Business agility

Pay-as-you-go model

Cloud Deployment Models

Public Cloud

Private Cloud

Community Cloud

Hybrid Cloud

Traditional Waterfall Computing Scaling and Provisioning

Agile Cloud Computing Scaling and Provisioning

Cloud Computing Challenges

Compliance/Security with rapidly changing capabilities

Complexity of solutions and knowledge management and talent needs

Cloud Provider Vendor Lock-in or Cloud Provisioning Vendor Lock-in

Fit with Current People, Process, Technology

Cost of Service without Change in Architecture

Diagram, "Challenges of Enterprise Cloud Adoption": Compliance/Security, Complexity, Cost and Price, Compatibility with Current IT Infrastructure

Evolution of Cloud Computing

Cloud computing is a result of the convergence of several technologies and computing paradigms:

Virtualization, 1960s, 1990s, 2000s

Grid computing, early/late 1990s

Large Data Centers and Multi-Tenancy, late 1990s

Software as a Service (SaaS), late 1990s

Service Oriented Architecture (SOA) – 2000s

Microservices and Containerization

Cloud Use Cases

Discussion

Do you have visibility to how Cloud is being used in the Organization?

Is there a Cloud Competency or COE currently?

Could you share some of the successes / opportunities?

Do you have any other organization specific insights to share?

Summary

Introduction to the basics of Cloud Computing

Identification of cloud goals

Definition of the key benefits derived from Cloud including the 5 normally stated characteristics

Explanation of service models in Cloud

Description of Cloud deployment models

United States: 744 Yorkway Place, Jenkintown, PA, 19046. Toll Free 1 877 517 6540. Email [email protected]

Canada: 821A Bloor Street West, Toronto, Ontario, M6G 1M1. Toll Free 1 866 206 4644. Email [email protected]

Cloud Computing Environment Attributes

Lesson Objectives

Cloud standardization

Elasticity

Cloud vendor marketplace

Virtualization & Containerization

Dynamic infrastructure

Cloud Standardization

The major cloud vendors, including AWS, Google, and Microsoft, have their own standards for managing their highly proprietary platform infrastructure

Clients are offered platform-specific programming API, command-line, and web services interfaces to interact with the platform of choice

An attempt is being made to standardize client-facing interactions with various platforms using the newly developed open Cloud standards [http://cloud-standards.org/]

The main governing body managing the open Cloud standards development effort is the Cloud Standards Customer Council (CSCC), which includes more than 600 of the world's leading organizations that provide the community's feedback to help design service interfaces

[Cartoon]

SITUATION: There are SO many competing standards.

?!? Ridiculous! We need to develop one universal standard that covers everyone's use cases. Yeah!

SOON: SITUATION: There are MORE competing standards.

Cloud Standardization: An Example

The Open Cloud Computing Interface (OCCI) model is built on top of the Resource Oriented Architecture and uses REST web services to handle client requests for services such as:

Virtual Machine deployment,

Cloud management requests,

Monitoring queries,

Distributed tracing.

Cloud Managed Services

Cloud services are collectively referred to as managed (by the Cloud platform) services. These services have such Cloud-grade attributes as:

Scalability

High availability

Robustness

Metered usage (for billing)

Shared Responsibility

Automation

Personalized dashboards

Workflow

Common strategies for logging, automation, notification, monitoring, visualization

Shared Responsibility Model

Cloud vendors demarcate the scopes of their and client responsibilities:

The Cloud vendor is responsible for
• Providing cloud-grade infrastructure with the perimeter security and intrusion detection in place

Clients are responsible for
• Security of their accounts, networks, and applications, including: User access control; User roles; Application passwords; Instance OS patching; Network configuration (public / private)

Virtualization

To run your servers in IaaS, you will need to self-provision them as virtual machine (VM) instances

Vendors standardize their platforms on different types of virtualization technologies,
• E.g. Amazon Machine Images (AWS AMI) support two types of virtualization: Paravirtual (PV) and Hardware Virtual Machine (HVM); Google offers KVM on their Compute Engine platform

Lifecycles of VM instances (start/suspend/stop/etc.) are controlled by Virtual Machine Monitors (VMM)
• VMMs are also referred to as hypervisors

Cloud vendors implement hypervisor pools to achieve reliability and scalability of their virtualized operations

A VM is booted from a bootable machine image of an OS of your choice (e.g. Ubuntu, Windows, or RHEL)

Containerization

To run your applications containerized, cloud providers have offerings to support this common cloud-native application modernization pattern, e.g. AWS with ECS and ECR

With the widespread adoption of Docker as the vehicle for containerized microservices and other application or application components
• Providers are supporting this pattern and adding other services to allow for management
• Kubernetes, Mesos, Swarm or custom Container Management Platforms like OpenShift
• Distributed tracing, monitoring, AWS X-Ray
• Event-driven models, e.g. AWS Lambda, Azure Functions, Google Functions, BlueMix OpenWhisk

Virtual Machine Images

You deploy your applications on the (guest) OS that runs in a VM

A disk image containing an OS (with optionally pre-installed software) that can be booted in a VM (and managed by the hypervisor) is called the bootable OS image
• Example 1: Amazon Web Services (AWS) offer an Amazon Machine Image (AMI), which is a packaged-up environment containing all the necessary binaries to set up and boot your virtual server instance. AMIs are units of deployment. Amazon EC2 provides a number of tools for creating an AMI
• Example 2: Google Compute Engine uses the KVM hypervisor and only supports guest images running Linux or FreeBSD

Applying Virtualization to Cloud

Virtualization provides a critical capability to the Cloud computing world - scaling - through effective utilization of hardware in Cloud vendors' data centers
• Horizontal (and vertical) scaling of server infrastructure and resources meets overall demand as well as client-specific demand

Much of a Cloud's ability to seamlessly support multiple end-users with wildly different usage scenarios and peak-usage demands is enabled by virtualization

Characteristics of Virtualization

Transparent sharing of resources (memory, network, disk, CPU, etc.)
• decouples hardware from software
• hardware aggregates as a pool of sharable resources

Live migration
• shift virtual servers between physical hardware instances while running
• facilitate zero downtime while still maintaining hardware

Isolation
• limits security exposure
• reduces spread of risk

Additional Characteristics of Virtualization

Management
• single point of control across all VMs
• ease deployment burden through repetitive scripts and templates
• block-level rollbacks to prior snapshots in the event of failure

High availability
• boot virtual servers on alternate hardware in the event of primary hardware failure
• execute multiple instances of a virtual server across multiple hosts

What about PaaS, SaaS and Everything or Anything as-a-Service

In PaaS, you do not interact with low level infrastructure components like VMs or bootable images – those tasks are handled transparently by the Cloud vendor

Your role in the deployment and management of your applications in PaaS is, for the most part, limited to writing your application in a language supported by the PaaS sandboxed runtimes, packaging your application in the required format (e.g. a zip bundle or a WAR file) and uploading it to a Cloud deployment end-point
• Scaling is a managed service of PaaS

For SaaS interactions, in most cases, you just need a browser or a web service end-point

Containerization for Application Componentization and Modernization

Containers are a lightweight alternative to full machine virtualization
• It is often called a virtualization environment, or OS-level virtualization
• Docker is a very popular open-source system for creating virtual environments as containers

A container encapsulates an application running inside its own operating environment which is derived from the underlying host OS

Containerization has been popularized by cloud-like processing environments that require fast server boot-up time
• Platform-as-a-Service (PaaS) vendors such as Heroku, OpenShift, and Cloud Foundry use Linux containerization

At the moment, the most widely used technology behind containerization is Docker, originally built from LinuX Containers (LXC), which is a userspace interface for the Linux kernel containment features (cgroups and namespaces)

Microsoft released Hyper-V and allows for both Docker containers and process based services in their Service Fabric model. This includes .NET Core usages running these environments in Linux and Windows Server virtualization.

Page 51: Introduction to Cloud Computing - WebAgeSolutions.com · "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable

© 2018 Web Age Solutions, Inc. All rights reserved

Virtualization & Containerization: A Tale of Two Technologies

Both offer multi-tenancy for guests (OSes and applications)

Virtualization is about translating communication between the hosted OSes and hypervisor

Containerization is "native" in that containers share the host OS's kernel

Containers' OS is the same as the host's OS

Virtualization allows running multiple guest OSes on the same host, while containerization is limited to the OS type the host uses

Traditional virtualization offers better protection from "rogue" tenants

Containerization offers higher levels of scaling

Some specialized systems, like Kubernetes [https://kubernetes.io/], introduce logical grouping of containers for intelligent resource management at massive scale

Dynamic Infrastructure

Self-provisioning of resources is the key value proposition of any Cloud platform

You can assemble your complete Cloud-based solution from a combination of managed and your own services in the same way you can assemble a Lego® puzzle

IaaS Cloud vendors offer a variety of tools and configuration templates to dynamically provision and manage the infrastructure elements you need

Note: Dynamic infrastructure capability is limited on PaaS

Dynamic Infrastructure Examples

AWS CloudFormation service

• Simplifies provisioning and management on AWS using templates

Azure Resource Manager and Quickstart templates

• Allows you to provision and manage your applications along with Quickstart template.

Pivotal Cloud Foundry

• Allows you to provision your applications along with their dependencies using a declarative template

Terraform

• Allows you to provision your applications along with their dependencies using IaC templates.

Configuration Management Tooling

• Chef, Puppet, Ansible and Salt all provide the ability to dynamically create infrastructure.

Elasticity on Demand

Low latency application scaling is a critical capability of Cloud computing used to elastically accommodate spikes or drops in demand

It is a standard feature of most cloud platforms

Elasticity is supported through two major capabilities:

• Auto Scaling – both up and down

• Cloud Bursting – extending on-premise dedicated applications infrastructure with cloud capabilities

Cloud Provider Scaling Services

Examples of Auto Scaling Services

Amazon Auto Scaling Service that can increase the number of your Amazon EC2 instances (VMs) during demand peaks and decrease capacity during demand valleys to optimize your EC2 fleet utilization costs

• Metrics used by Auto Scaling conditions that trigger scaling activities are collected by the CloudWatch service

Google Compute Engine has managed instance groups that offer autoscaling capabilities

• You define your scaling preferences in the autoscaling policy which specifies the trigger points

Cloud Providers

The current leaders in this market are:

• Amazon AWS

• Microsoft Azure

• Google Cloud Platform

• IBM Bluemix

• VMware

The cloud vendor space is not limited to those listed above, though – you can shop around to find a suitable cloud platform; you can start here:

• Cloud Foundry

• Heroku/Force.com

• OpenStack

• Accenture Cloud

• Adobe Marketing Cloud

• Rackspace Cloud

• IBM ZLinux

Discussion

Do you have experience with one or more cloud providers?

What attributes do you think are the most important for your usages?

What as-a-Service solutions are you or your team using currently or planned for the future?

Summary

Cloud standardization

Elasticity

Cloud vendor marketplace

Virtualization & Containerization

Dynamic infrastructure

United States: 744 Yorkway Place, Jenkintown, PA, 19046; Toll Free 1 877 517 6540

Canada: 821A Bloor Street West, Toronto, Ontario, M6G 1M1; Toll Free 1 866 206 4644

Cloud Computing Environment Attributes

Cloud Security and Risk

Lesson Objectives

Cloud and InfoSec

Access Control

Application Security

Information and Data Security

Network Security

Operational Security

DevOps Security Concerns

Cloud Security Domains

The adoption of Cloud Computing brings on many questions:

Security is consistently rated as a major concern and blockage to cloud adoption

Lack of governance can result in data breaches, compliance mistakes and growth of shadow IT

Cloud security focuses on domains

Cloud Security Alliance (CSA) establishes 14 domains for Cloud Security Guidance

CSA Domains

The CIA of Cloud Security

Cloud security in each of the above domains (see previous slide) must enforce the three main principles of information security (the CIA triad) for both data at rest and data in transit:

Confidentiality: data protection against unauthorized access

Integrity: data protection against modification and/or deletion

Availability: on-demand provisioning of data to authorized entities

[Diagram: cloud service stack. Application: Monitoring, Content, Collaboration, Communication, Finance. Platform: Object Storage, Identity, Runtime, Queue, Database. Infrastructure: Compute, Block Storage, Network.]

Cloud Provider Security Standards & Certifications

Review third-party certification, accreditations and validations your cloud vendor obtained. ISO and SOC are referred to as horizontal standards, while PCI, HIPAA are vertical standards.

Payment Card Industry (PCI) Data Security Standard (DSS)

ISO 27001 Information Security Standard

Annual SOC 1, SOC 2, and SOC 3 audits

Federal government systems evaluations, e.g. DIACAP Level 2 for DoD systems

US Federal Information Security Management Act (FISMA) compliance

Where applicable, map your organization's security controls to internationally recognized security certifications

[Diagram labels: ISO, PCI-DSS, FISMA, GDPR, SOC, HIPAA]

Agile Security Risk Management Process

Perform data security level categorization

Establish user security profiles

Establish security controls over services against the security profiles

Continuously monitor access and use of services

Create feedback loops & iterate

Cloud Access Security Controls

Evaluate security features offered by your cloud vendor:

Physical security (physical access control to facilities)

User system access control

SSH keys

Provider security groups

Identity and Access Management (IAM)

Multi-Factor Authentication (MFA)

Breaking the Glass

IaaS

Access Control: Authentication and Authorization

User authentication and group-based system access authorization

User and group management can be done using your cloud vendor's Identity and Access Management (IAM) or similar service

The minimum acceptable strength of user passwords and other credentials as well as their expiration policies can also be enforced by an IAM service

Identity federation between your corporate directory (Active Directory, LDAP, etc.) and cloud services, if supported, will let you re-use existing corporate identities to grant secure access to cloud resources without the need to create new cloud-based identities

Multi-Factor Authentication (MFA) is becoming a common practice

Use of OAuth, JWT, and API Management functions

Application specifics: Atlas, Ranger, other 3rd-Party or Open Source

Data at Rest: Our Data and Cloud Security

Encryption of data at-rest

• Prevents loss on security breach

• AES128/256 is the standard

Encryption of data in-transit

• Prevents disclosure due to man-in-the-middle attacks

Strong authentication between system components (one-way or two-way)

• Required purging of application caches

Compliance with government regulations (HIPAA, Patriot Act, etc.)

• Location of data

• Organizations may be subject to regulations that specific data be stored in their own origin country data centers

Data at Rest: Security Examples

All data at rest (data written and committed to disk) in Google Compute Engine is encrypted using the AES-128-CBC algorithm

AWS offers no encryption for its virtual (EBS) volumes; the users can implement an encrypted file system on top of their Amazon EBS volumes

AWS's S3 object storage uses AES-256

Network Security: Provider Responsibility

The Shared Responsibility Contract vests the control of the Cloud network service and exposed public API endpoints in Cloud vendors, making them responsible for protecting their clients against the following attacks:

Distributed Denial Of Service (DDoS) attacks

• Standard DDoS mitigation techniques are: SYN cookies and connection throttling

Man-in-the-Middle attacks

• Cloud public API endpoints should be protected by SSL requiring server authentication

IP Spoofing

• Cloud-hosted instances must be incapable of sending spoofed IP traffic

Port Scanning

• Client applications that perform port scanning must be viewed as a violation of the Cloud User Policy resulting in investigation and closing of the account

Network Security: Shared Responsibility

Organizational network access control options:

VLAN (or VPC)

Intrusion detection and prevention

Group virtual machines by domain (layer)

Separate management, guest and public networks

IaaS clouds offer virtual firewalls as security groups (or similar concepts) that include a number of rules for regulating open ports (mapped to available services, e.g. SSH or POP3) and source IP address(es); those rules can be applied to your virtual server instances deployed in different application tiers
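The security-group rules described above, sketched as an added example that is not part of the original slides: a small auditor that checks per-tier ingress rules against a three-tier layout and shows how default-deny matching decides a connection. The tier names, CIDR ranges, management subnet and rule format are constructed assumptions, not any provider's API.

```python
import ipaddress
from dataclasses import dataclass

MGMT_PORTS = {22, 3389}                          # SSH, RDP
MGMT_NET = ipaddress.ip_network("10.0.9.0/24")   # assumed bastion/management subnet
# Assumed tier model: which upstream each tier is allowed to accept traffic from.
ALLOWED_UPSTREAM = {"web": {"internet"}, "app": {"web"}, "db": {"app"}}


@dataclass(frozen=True)
class Rule:
    port_from: int
    port_to: int
    source: str        # a CIDR, or "sg:<group>" to reference another group


# Constructed sample: one security group per application tier, with mistakes.
GROUPS = {
    "web": [Rule(443, 443, "0.0.0.0/0"), Rule(22, 22, "0.0.0.0/0")],
    "app": [Rule(8080, 8080, "sg:web"), Rule(22, 22, "10.0.9.0/24")],
    "db": [Rule(5432, 5432, "sg:app"), Rule(5432, 5432, "10.0.0.0/8"),
           Rule(0, 65535, "sg:web")],
}
# The same tiers with management access pinned to the management subnet and
# internal tiers reachable only from the group directly upstream.
HARDENED = {
    "web": [Rule(443, 443, "0.0.0.0/0"), Rule(22, 22, "10.0.9.0/24")],
    "app": [Rule(8080, 8080, "sg:web"), Rule(22, 22, "10.0.9.0/24")],
    "db": [Rule(5432, 5432, "sg:app"), Rule(22, 22, "10.0.9.0/24")],
}
# Constructed instance addresses, used to resolve "sg:<group>" sources.
MEMBERS = {"web": {"10.0.1.10"}, "app": {"10.0.2.10"}, "db": {"10.0.3.10"}}


def covers_mgmt(rule):
    """True if the rule's port range includes a management port."""
    return any(rule.port_from <= p <= rule.port_to for p in MGMT_PORTS)


def audit(groups):
    """Return sorted (tier, ports, finding) tuples for rules that break the tier model."""
    findings = []
    for tier, rules in groups.items():
        upstream = ALLOWED_UPSTREAM[tier]
        for r in rules:
            ports = f"{r.port_from}-{r.port_to}"
            if r.source.startswith("sg:"):
                if r.source[3:] not in upstream:
                    findings.append((tier, ports, "tier-bypass"))
                if covers_mgmt(r):
                    findings.append((tier, ports, "mgmt-port-from-tier"))
                continue
            net = ipaddress.ip_network(r.source)
            if covers_mgmt(r):
                if not net.subnet_of(MGMT_NET):
                    findings.append((tier, ports, "mgmt-port-exposed"))
            elif "internet" not in upstream:
                # Internal tiers should name the upstream group, not a wide CIDR.
                findings.append((tier, ports, "cidr-on-internal-tier"))
    return sorted(findings)


def permits(groups, members, tier, src_ip, port):
    """Default deny: traffic passes only if some rule in the tier's group matches."""
    ip = ipaddress.ip_address(src_ip)
    for r in groups[tier]:
        if not r.port_from <= port <= r.port_to:
            continue
        if r.source.startswith("sg:"):
            if src_ip in members.get(r.source[3:], set()):
                return True
        elif ip in ipaddress.ip_network(r.source):
            return True
    return False


if __name__ == "__main__":
    for finding in audit(GROUPS):
        print(finding)
    print("hardened findings:", audit(HARDENED))
```

Running the audit on every change to the rule set, for example in the pipeline that applies the infrastructure templates, catches a world-open SSH rule before it reaches an instance.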

Operational Security

Cloud models aid in reducing the scope of needed operational activities, leaving Ops to deal with

IaaS: server lifecycle management (start / pause / stop / remove), resource provisioning, app code uploading, system monitoring and the like

PaaS: app code uploading, system monitoring

Ops should disable unnecessary user accounts and services (on IaaS)

Use only key-based SSH session authentication

Some cloud vendors offer mechanisms for embedding authentication keys into virtual machine images (VMI) meaning that only the owner (Ops) of those credentials can launch virtual servers based on those VMIs
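One way to verify the key-only SSH guidance above on an IaaS instance, as an added example that is not from the original slides: it computes the effective global settings of an OpenSSH sshd_config (the first occurrence of a keyword wins, unset keywords fall back to defaults) and reports anything that still permits password-style logins. The sample configurations and finding names are constructed; Include files and Match blocks are not expanded, only flagged.

```python
# Upstream OpenSSH defaults for the keywords checked here. Distribution
# packages may ship a stock sshd_config that overrides some of them.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# ChallengeResponseAuthentication is the older name of the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(text):
    """Return (settings, has_match) for the global section of an sshd_config."""
    seen, has_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Key value" and "Key=value" are both valid.
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            has_match = True      # conditional overrides start here
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        # sshd keeps the first value it reads for a keyword; later ones are ignored.
        seen.setdefault(ALIASES.get(key, key), value)
    return {**DEFAULTS, **seen}, has_match


def key_only_findings(text):
    """List the reasons this configuration is not restricted to key-based logins."""
    eff, has_match = effective_settings(text)
    findings = []
    if eff["pubkeyauthentication"] != "yes":
        findings.append("pubkey-disabled")
    if eff["passwordauthentication"] != "no":
        findings.append("password-auth-enabled")
    if eff["kbdinteractiveauthentication"] != "no":
        # With PAM, keyboard-interactive can still prompt for a password.
        findings.append("kbd-interactive-enabled")
    if eff["permitrootlogin"] == "yes":
        findings.append("root-login-unrestricted")
    if has_match:
        findings.append("match-block-review")
    return findings


# Constructed samples.
PARTIAL = """\
# password logins switched off, everything else left at defaults
Port 22
PasswordAuthentication no
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""
SHADOWED = """\
PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""
HARDENED_SSHD = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, cfg in [("partial", PARTIAL), ("shadowed", SHADOWED),
                      ("hardened", HARDENED_SSHD)]:
        print(name, key_only_findings(cfg))
```

On a live host, `sshd -T` prints the configuration the daemon actually resolved, which also covers Include files that this sketch does not follow.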

Zero Trust Security

Zero trust is a security model in which no user, interface or application is automatically "trusted".

In physical implementations of zero trust security, traffic flows through a centralized security device, limiting scalability.

Virtual or cloud-based environments allow for scalability due to their underlying implementations of software-defined networking.

Micro-segmentation

Creation of isolated virtual networks that run parallel to one another.

Creation of zero trust zones with micro-segmentation with software-defined networking.

The micro-segmentation approach to network segmentation is said to improve usability and security by establishing "zero trust" zones where more granular access controls can be enforced.

DevOps Security Concerns

Enterprise areas of XaaS usage include

For all intents and purposes, hardening your application environment is very much like hardening any Windows or Unix server (applies mostly to IaaS)

Cloud applications must be properly partitioned to minimize the breadth of the exposure when some parts of your application are compromised

On IaaS platforms, we evaluate Mandatory Access Control (MAC) systems (e.g. AppArmor) to minimize access scopes

Organizations regularly use HoneyPot technology to identify unknown intruder penetration to the application infrastructure

Cloud Security Alliance (CSA)

CSA was formed in 2008 and is now on their 4th iteration of their Cloud Security Guidance and GRC Stack documents

https://cloudsecurityalliance.org/download/security-guidance-v4

The CSA GRC Stack is comprised of four separate initiatives: Cloud Audit, CCM, CAIQ and Cloud Trust Protocol (CTP). The CCM and CAIQ are the two documents that are the most directly useful for companies trying to assess a given cloud provider's controls and risk model.

CAIQ questions are used to establish security of your internal and external cloud providers. The questions are categorized by control group and then mapped to major compliance and regulatory standards like CoBiT, HIPAA, PCI and FedRAMP. These are referred to as vertical standards.

Down on the Farm: Pigs and Chickens

• Committed – InfoSec & Leadership

• Involved – Everyone else dedicated to the security of the organization in the move to Cloud as-a-Service and Cloud-native applications

• Neither – 1/3rd quartile, hackers, Kylo Ren

Discussion

How is cloud security being discussed for the organization?

Are there knowledge stores that outline security and risk in Cloud?

How is InfoSec part of the pipelines for cloud-native application modernization in the organization?

What horizontal and vertical standards has your organization considered or implemented?

Summary

Cloud and InfoSec

Access Control

Application Security

Information and Data Security

Network Security

Operational Security

DevOps Security Concerns

Cloud-native Application Modernization

Making the move to Cloud

Lesson Objectives

Cloud adoption steps

Cloud-native

Designing cloud applications

Microservices

Automation & DevOps

Moving to the Cloud

While Cloud computing (using Cloud vendor's data centers) is, in many aspects, similar to what you do on-premise, there are nuances, however, that may make the process of moving to the cloud costly, if not frustrating

• Moving to Cloud computing is a paradigm shift

• It is also an opportunity to undertake application modernization initiatives

You need to educate yourself about Cloud's intricacies, learn and adopt best practices for designing and implementing Cloud applications, and, of course, make the right technological choices

Down the road, it is all about making your business successful and your technological choices must be aligned with the business objectives of your organization

Cloud Kickstart

There are certain steps you need to follow in order to make moving to the Cloud as painless as possible

It is not possible to touch on all the steps each organization, line of business or team would need to consider, but here are some of the more common first broad directions:

• Create a Cloud app from scratch (Green field)

• Migrate an existing on-premise app (Brown field)

What are your priorities for Cloud-native application modernization?

What Cloud service models (IaaS, PaaS, or SaaS) are you already using to accelerate business value?

What are your vendors and channel partners doing with Cloud?

What are the current capabilities in the organization and have you created a Kaizen skills map?

Considering Business Drivers for Cloud Adoption

Your business drivers, to some extent, dictate the choice of the Cloud service model, which will help you narrow down the search area

If business agility (time to market, fast upgrade cycles) is the most important factor, you need to go with either PaaS or SaaS

• This choice needs to be balanced against the complexity of the application you want to create or move to the cloud

• PaaS and SaaS can dramatically simplify the scope of your SysAdmin tasks while doing so at a huge expense of flexibility and availability of technological options at your disposal

• PaaS and SaaS platforms can also satisfy your business' critical dependency on automatic scalability or cloud bursting for scale

If your business processes to be moved to the Cloud are complex ones with a large number of dependencies, your choice should, most likely, be IaaS

• IaaS has the capabilities to support new business drivers that may emerge as your Cloud presence solidifies and evolves

• It is possible to connect parts of your application deployed in PaaS and/or SaaS with those ones in IaaS

Deep Thoughts on Cloud from Scott Adams

Cloud Adoption and the Stages of Virtualization Maturity

Moving to the Cloud is a major strategic decision which requires a staged approach

According to Gartner Research, most organizations tend to go through a typical staged process on the way to the cloud (some steps may be skipped)

Stage 1 – On-prem server virtualization (server consolidation (count reduction) and better resource management leading to capital savings, trying out DR through virtualization for business continuity)

Stage 2 – On-prem distributed virtualization (automation of deployment)

Stage 3 – Private Cloud (cloud payment model, elasticity, usage metering)

Stage 4 – Hybrid (respond well during peak loads)

Stage 5 – Public Cloud (shift from fixed costs (capital expenses) to variable costs (operational expenses))

Accelerating Business Value through Cloud Adoption

Stage 1: Server Virtualization

• Consolidation

• Capital Expense

Accelerating Business Value through Cloud Adoption

Stage 2: Distributed Virtualization

• Flexibility and speed

• Operational expense, automation

• Less downtime

Accelerating Business Value through Cloud Adoption

Stage 3: Private Cloud

• Self-serve agility

• Standardization

• IT as a business

• Usage metering

Accelerating Business Value through Cloud Adoption

Stage 4: Hybrid Cloud

• Cost for peak loads

• Flexibility for peak loads

Accelerating Business Value through Cloud Adoption

Stage 5: Public Cloud

• Capital expense elimination

• Increased flexibility (up and down)

Agile Cloud Provisioning

There are evolving Cloud standards for platform, service, and infrastructure

Organizations can adopt vendor-specific or vendor-agnostic views of Cloud, e.g. "We use AWS", or "We use a solution that makes us provider agnostic"

To avoid the vendor lock-in situation (for both IaaS and PaaS deployments):

• Try to use as much of the open and accepted standards to achieve and maintain system interoperability. For example, for web services use Basic Profile 1.0 compliant web services, RESTful services (wherever practical, favor them over WS-*)

• Wrap up native platform API in a generic and portable API with dependency injection to plug platform-specific implementation

Twelve-factor App Methodology

The good people who worked on the Heroku PaaS platform summarized their development and deployment experience in the Twelve-factor app methodology for building Software-as-a-Service apps: https://12factor.net/

The methodology provides guidelines for creating apps (whether you target PaaS or IaaS) that:

• "Use declarative formats for setup automation, to minimize time and cost for new developers joining the project;

• Have a clean contract with the underlying operating system, offering maximum portability between execution environments;

• Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration;

• Minimize divergence between development and production, enabling continuous deployment for maximum agility;

• And can scale up without significant changes to tooling, architecture, or development practices."

Twelve-factor principles

1. Codebase

2. Dependencies

3. Config

4. Backing services

5. Build, Release, Run

6. Processes

7. Port binding

8. Concurrency

9. Disposability

10. Dev/prod parity

11. Logs

12. Admin Processes

Twelve-factor - Codebase

One codebase per service, component or application, tracked in revision control; many deploys to meet the organizational guidance for Continuous Integration & Delivery (CI/CD)

The Twelve-factor App recommends one codebase per app. In a microservices architecture, the correct approach is one codebase per service.

This codebase should be in version control, either distributed, e.g. git, or centralized, e.g. SVN.

[Diagram: one codebase, many deploys (production, staging, developer 1, developer 2)]

Twelve-factor - Dependencies

Explicitly declare and isolate dependencies

Regardless of which platform your application is running on, use the dependency manager included with your language or framework.

Do not assume that the tool, library or application your code depends on will be there.

How you install operating system or platform dependencies depends on the platform:

• In noncontainerized environments, use a configuration management tool (Chef, Puppet, Salt, Ansible) to install system dependencies.

• In a containerized environment, do this in the Dockerfile.

Data is King

Same rules apply to on-prem or Cloud apps; keep them in mind when moving your applications to the cloud:

• Data is king

• Data outlives applications

• Applications outlive integrations

You need to account for variability in your system integration needs when designing your Cloud-native applications


Monolithic vs. Microservice


A monolithic application puts all its functionality into a single process…

…and scales by replicating the monolith on multiple servers.

A microservices architecture puts each element of functionality into a separate service…

…and scales by distributing these services across servers, replicating as needed.


Qualities of Microservices

Componentization via Services

Organized around Business Capabilities

Products not Projects

Smart endpoints and dumb pipes

Decentralized Governance

Decentralized Data Management

Infrastructure Automation

Design for failure

Evolutionary Design


Cloud Native Applications

[Figure: On-Premise and Microsoft Azure environments; labels: Database (Oracle), Database (RDS), Web App 1, Web App 2, Microservice 1, Microservice 2, Microservice 3]


Cloud Native = Challenges Solved

Increase velocity of software deployments. Agile delivery of new cloud applications in days versus weeks, and perform platform upgrades in minutes.

Enabling predictability of cloud platform software through all stages of deployments.

Sustainability and supportability to deliver upgrades or cloud infrastructure changes by using the same Continuous Integration / Continuous Delivery (CI/CD) process for all types of deployments.

Reliability in reduction of impact on existing network workloads when patching, updating, or adding applications and platforms.

Provide operational maturity with dashboard visibility into the health of every component, scalability and the ability for self healing


Cloud Native + Agile + DevOps = Challenges Solved


Key Components of Successful Microservices Teams

“A3 & C”

Shared Accountability for service consistency

Automation of cattle

Architecture patterns

Culture of Containerization

Other key areas include DevOps, collaboration, gold master example, and standards


Designing for Failure

Microservices architecture based components are designed for failure.

Any service can fail, anytime

The client application has to respond as gracefully as possible

It's important to be able to detect the failures quickly and, if possible, automatically restore service

Microservices applications put a lot of emphasis on real-time monitoring

Netflix Simian Army induces failures of services during the working day to test the application's resilience and monitoring
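One common way to meet these points on the client side is a circuit breaker, a pattern the slides do not name. The sketch below is an added example, not part of the course material; `CircuitBreaker`, `demo` and `employee_search` are hypothetical names and the outage is constructed.

```python
import time


class CircuitBreaker:
    """Client-side guard: fail fast while a dependency is down, probe later."""
    def __init__(self, max_failures=3, reset_after=30.0, clock=time.monotonic):
        self.max_failures = max_failures  # consecutive failures before opening
        self.reset_after = reset_after    # cool-down in seconds before a probe
        self.clock = clock                # injectable so tests need no sleep
        self.failures = 0
        self.opened_at = None             # None means closed (healthy)
        self.events = []                  # telemetry for real-time monitoring

    def call(self, service, fallback):
        """Return service() if it works, otherwise fallback()'s degraded answer."""
        if self.opened_at is not None:
            if self.clock() - self.opened_at < self.reset_after:
                self.events.append("short-circuit")
                return fallback()         # do not hammer a failing service
            self.events.append("probe")   # cool-down over: try one real call
        try:
            result = service()
        except Exception as exc:          # any service failure counts
            self.failures += 1
            self.events.append(f"failure:{type(exc).__name__}")
            if self.opened_at is not None or self.failures >= self.max_failures:
                self.opened_at = self.clock()  # open, or re-open after a bad probe
                self.events.append("open")
            return fallback()
        if self.opened_at is not None:
            self.events.append("restored")  # service came back: close again
        self.failures, self.opened_at = 0, None
        return result


def demo():
    """Constructed scenario: three failures, a cool-down, then recovery."""
    now, up = [0.0], [False]

    def employee_search():                # hypothetical downstream service
        if not up[0]:
            raise ConnectionError("constructed outage")
        return ["alice"]

    cb = CircuitBreaker(reset_after=30.0, clock=lambda: now[0])
    out = [cb.call(employee_search, list) for _ in range(4)]  # list() -> []
    up[0], now[0] = True, 31.0
    out.append(cb.call(employee_search, list))
    return out, cb.events
```

The `events` list is what a monitoring dashboard would consume: it shows the failures being detected, the breaker opening, and service being restored without operator action.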


Microservices In a Nutshell

Shift Left. Microservices go hand-in-hand with Agile software development methodologies and DevOps.

Competitive Advantage. Clean, well managed services improve agility and velocity.

Technology Enabled Business. Time to market and value is enabled by a componentized application, built on the principle of MVP.

Gold Master. Every organization needs their reference architecture and working examples to simplify consistent adoption across the enterprise.


Data Management Considerations

Microservice applications are decomposed to components – smaller independent service applications.

Components are loosely coupled and that includes the backing store


Management Lift for Microservices

In some cases, you may satisfy your operational needs by using Apache Zookeeper (https://zookeeper.apache.org) which offers services for highly reliable distributed coordination, centralized configuration management, and distributed synchronization

Netflix Open Source Software (OSS) Center (https://netflix.github.io/) provides a complete set of Java-based infrastructure components that can be used to support microservices

You may also want to consider moving to a whole new deployment and execution platform, e.g. Cloud Foundry PaaS (https://www.cloudfoundry.org/) or a model like AT&T Integrated Cloud Platform (AIC) built on OpenStack


Service Fabric Application Modernization

Take a traditional monolithic application

Lift and Shift - Use containers or guest executables to host existing code in Service Fabric.

Modernization - New microservices added alongside existing containerized code.

Innovate - Break the monolith into microservices purely based on need.

Transformed into microservices - the transformation of existing monolithic applications or building new greenfield applications.


Microservice Best Practices

Base Image – Place your log aggregation, security, and patterns in a base Docker image that you use to contain your microservices

Conversation ID – Generate unique IDs in the client application that flow through the orchestrated use of microservices and components of the application for traceability and correlation

Version – Use API versioning in services to allow for identifying the correct service routing and to account for the changes over time and the use of strategies of blue-green, multiple coexistence, and canary releases

Log Aggregation – Microservices don’t maintain historical logs like application servers, so we have to constantly flow that information to external log streams like ELK, ELF, Splunk, Big Data, or other tools

Resiliency – Service failure is inevitable over time; ensure you provide telemetry and error handling to notify users, developers, and operations

Service Identification – The User Agent property is an excellent location to store the name, or logical id, of the service being invoked. User-Agent: EmployeeSearchService

Reference Architecture – Gold master example of company/portfolio/client service implementation
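The Conversation ID, Service Identification and Log Aggregation practices above fit together as shown in this added example, which is not part of the course material. The header name `X-Conversation-ID`, the `DirectoryService` name and all function names are assumptions; only `User-Agent: EmployeeSearchService` comes from the slide.

```python
import json
import re
import uuid

CONV_HEADER = "X-Conversation-ID"   # assumed header name; the slide names none
_VALID_ID = re.compile(r"[0-9a-f]{32}")


def new_conversation_id():
    """Client side: one unique ID per user-initiated conversation."""
    return uuid.uuid4().hex


def outbound_headers(conversation_id, target_service):
    """The ID flows on; User-Agent names the invoked service, as on the slide."""
    return {CONV_HEADER: conversation_id, "User-Agent": target_service}


def accept_conversation_id(headers):
    """Service side: reuse a well-formed ID, replace anything else.

    The header is caller-controlled, so only a value of the expected shape
    is allowed to become the correlation key in the log store.
    """
    value = headers.get(CONV_HEADER, "")
    if _VALID_ID.fullmatch(value):
        return value, True
    return new_conversation_id(), False


def log_line(service, conversation_id, message, **fields):
    """One JSON object per line, ready for an external log aggregator."""
    record = {"service": service, "conversation_id": conversation_id,
              "message": message, **fields}
    return json.dumps(record, sort_keys=True)


def handle_request(service, headers, downstream=None):
    """Hypothetical handler: log, then optionally call one downstream service."""
    conv_id, trusted = accept_conversation_id(headers)
    lines = [log_line(service, conv_id, "request received",
                      id_from_caller=trusted,
                      invoked_as=headers.get("User-Agent", ""))]
    if downstream:
        lines += handle_request(downstream, outbound_headers(conv_id, downstream))
    return lines
```

Searching the aggregated logs for one `conversation_id` then returns every hop of a request, and `id_from_caller` marks the entries where the service had to mint its own ID.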


Discussion

Does the organization have experiences to share in cloud-native application modernization?

Are teams using Twelve-factor, or another approach, as the basis for Agile SDLC modernization?

Who holds the gold master for Microservices and Cloud-native in the various platforms and technologies used by the organization?


Summary

Cloud adoption steps

Cloud-native

Designing cloud applications

Microservices

Automation & DevOps


United States: 744 Yorkway Place, Jenkintown, PA, 19046. Toll Free 1 877 517 6540

Canada: 821A Bloor Street West, Toronto, Ontario, M6G 1M1. Toll Free 1 866 206 4644

Cloud-native Application Modernization


Thank you